Archive

Posts Tagged ‘compsec’

Rehabilitating Linux

Sunday 3 February 2013 2 comments

The mission comes first in all things.

I still use Linux. There is only one real reason anyone would choose Linux over Windows: control. MS will never yield the level of control we users would like. The nifty little secrets are out there on the Net, but it often requires arcane knowledge to work through some of the truly Orwellian obfuscations for items many Linux users do routinely. The reason is simple: MS makes money by delivering you, the user, to their business partners. They retain this power to make money because they allow some governments complete and open access through back doors to the system. That criminals also find and use those back doors is simply the cost of doing business. Unfortunately, the cost is usually borne by you, the user.

The only reason to keep using Windows is the wealth of tools for which Linux and Open Source do not offer a replacement. So you like LibreOffice? Fine, but they do not have a valid grammar checker and the interface will always have serious glitches not present in any other office suite. That’s because people who really love Open Source will tolerate those glitches and the developers ignore everyone else. Sometimes it’s just a careless UI design and layout. You have to run through an extra three or four actions to get the same results as you would with, say MS Office (any version).

So here’s the deal: Which new features added to MS Office since Office 97 do you use? I don’t use any of them, either. Some of the defaults have actually gotten annoying. Did you know you can run some of those older versions on Linux using Wine? That’s a sort of emulator, allowing you to get a sometimes workable replication of Windows for some software. At various times using different versions of Wine, I’ve run Office 97, 2000 and 2003. I’m willing to bet one of those will serve most of your needs. Later versions do sometimes work, as well, but really grab a lot of system resources in the process. You can get copies of the older versions cheap or free, if you know who to ask.

So the real issue comes down to which system offers the least painful options. I’ve been playing with Linux Mint because they offer releases with long term support. It’s a step in the right direction, in part because they understand the real need for keeping the older style UIs. So you can use MATE, which is the current version of GNOME 2, so to speak. Or you can use Cinnamon, which is GNOME 3 made somewhat sane. I prefer the former. At any rate, I’ve got Word 2000 working on it and that’s good enough for my grammar checking needs.

However, I still can’t recommend Mint to Windows users unless you have the time to do some serious homework. It still is too much like Ubuntu where far too many defaults are not aimed at the most common user needs. Too often those defaults are really hard to change. Mint folks aren’t nearly so forthcoming on offering simple fixes as I have seen with Ubuntu. There are some Mint users posting their fixes on blogs and such, but too often they are aimed at elitist ends. That is, it’s one elitist Linux user helping another elitist, while nobody bothers to help those of us with more common user needs. Far too many things which should rightly be almost automated are made intentionally obscure and difficult. You have to manually update FlashPlayer, for example. That’s not simple and I’ve yet to find simple directions for it; I can do it the hard way, but I don’t recommend it.

Unless you really need the latest and greatest, I still recommend Scientific Linux/CentOS 6 for most users as the shortest and least painful path to migration. I’ve already written that up (see the links on this page regarding RHEL). You can get Wine and it will run at least one version of MS Office. There is a provision for most of the arcane hardware drivers somewhere in the system which supports the users of RHEL and clones. There is often a way to get some of the latest and greatest when you really must have it. Best of all, it is exceptionally secure, more so than most types of Linux, because the security stuff is turned on by default and quite sane. I will probably keep it on my laptop.

Feel free to ask my advice.

TMOC Email Account Locked

Friday 16 November 2012

The account I had set up at GMX.com has either been hijacked or their service is simply unreliable. Either way, the email address tmoc-team@gmx.com is no longer accessible, so if you are using it, switch to eddie at my domain soulkiln dot org.

Categories: meta

Wireless Carrier SNAFU (Updated)

Wednesday 30 November 2011 1 comment

You may recall the acronym SNAFU approximates: “Situation Normal, All Fouled Up.”

Is anyone really surprised at the depth of detail in which this Carrier IQ company is logging your every touch and use of your smartphone? Pay attention to the details if such things matter to you — it’s found on many Android, Blackberry and Nokia phones. So far, no one has piped up with a similar discovery on Apple phones.

Given the current fascist bent in government and corporate cuddling, you would hardly be surprised if Eckhart is labeled a “hacker” in the pejorative sense, and perhaps even a terrorist. He’s using a cable connecting his smartphone to a computer running Ubuntu, which is able to track every hidden data transfer using what we call a “packet sniffer” — something long a standard tool on Linux and Unix, if you know how to activate it. I once used it to discover how and why the old Mozilla browser suite was refusing to run on a system I had some years ago. The browser was ignoring the networking information the operating system had established and was trying to make its own connection queries independently. I never got an answer why that was, but that behavior changed in the next release, as I recall.

Meanwhile, it seems this CIQ snooping only applies in the US, so far. It’s probably not illegal, just utterly immoral and unethical. Naturally, that means it is precisely what most wireless carriers will do because there’s money in it. I’m sure, somewhere buried in the contract, is the permission signed away to do just this sort of snooping. This will create a firestorm of protest from interested parties, and I wonder if any lawsuits will arise.

This is just a snapshot, a quick peek under the covers. Valid and ethical information gathering would be signal strength and such, but this is pervasive and detailed down to the hardware level of keycodes and the like. This information is being stored, and this is what government queries, not simply to gain an unfair advantage in prosecution, but simply in the now-normal pervasive surveillance of which we all need some awareness.

This is not simply a mistake or miscalculation; it’s wholly calculated and evil.

Update: I’m reading all the apologists and backpedaling coming out on the Net regarding this issue. More than one has said it’s all necessary and for your own good, to improve service, etc. So let’s run down the main points.

1. Consumers are not properly informed. This is not simply the matter that it’s buried in the long legalese contract, but that everyone with half a brain knows a great many users would be shocked by this if they knew and would drop the account and find another provider who didn’t pull this stunt. Sprint is currently the most egregious violator with the poorest apology, and stands to lose some serious business on this.

2. Carrier IQ is outright lying about what their software does. This isn’t simply the device paying attention to your inputs. This was caught by packet sniffing — watching the traffic as it goes out over the network and home to CIQ servers. Every useful interaction you have with that device goes directly to CIQ servers, recorded in detail with your ID and everything. It’s also sent in the clear, unencrypted, even when you are otherwise encrypting everything with another network entity. This is criminal negligence, because this defeats the whole purpose of encryption. CIQ is invading your privacy to the nth degree, recording it all on their servers, and exposing your traffic unencrypted to any fool with an ounce of technical intelligence to intercept it. Granted, it’s up to your carrier to pay for whatever portion of this data they want, but CIQ has you by the short and curly hairs.

3. You as a user have no options. You aren’t permitted any access to this stuff. If you wish to use something which is now very nearly an essential utility service, necessary for normal social interaction and business with just about anyone except the local migratory bird population, then you are forced to swallow this.

Finally, I fully expect the geeks and nerds to discover that, say, Verizon is lying about their complete denial of this. But that won’t matter. CIQ is the real evil culprit here, and I’m willing to bet they have ties to some covert US government agency one way or another.

Update2: I stand corrected; it is not packet sniffing we see in the video, but log sniffing. That is, our intrepid geek Eckhart is running a utility which picks up the internal chatter, echoing what CIQ is recording in its logs. So it may well be not everything is shipped out, but the mere presence of such depth leads us to wonder how it is the CIQ logs are parsed and pared down, if they are, prior to transmittal to the servers. Until CIQ comes clean, it doesn’t really change our suspicions.

Your Facebook Spyware Is from the Government

Tuesday 3 May 2011

Forgotten in all the hubbub about OBL is something the Electronic Frontier Foundation reported a few days ago.

When fixing computers for people, most of what I do is remove spyware, followed numerically by a handful of viruses. The biggest single source of spyware is game downloads followed by social media. Facebook is a primary source of trouble, with several spyware infestations already famously coming from there.

But some of that Facebook spyware could have been planted by the US government. That makes it actual spy-ware.

I seriously doubt my work has interfered with any ongoing investigations. In the past, the anti-malware and anti-virus companies have tended toward not playing well with governments on this issue, but given what I know about my clients, I doubt any of them are much of a threat to anyone, except perhaps themselves. However, given the whole thing turns on the willingness of their investigative targets to do silly things like wasting time on Facebook, I’m confident they have no trouble re-infecting target machines someone accidentally sanitized. I’ve not convinced a single client to get rid of their Facebook account.

There are a couple of interesting things we can take from this, aside from the very plain thrust of the EFF article — that the FBI and others were willing to plant this spyware without proper accountability.

With this and the revelations from the HB Gary fiasco, it shows us there are still numerous security flaws in Windows and off-the-shelf commonly used software. There is a big industry in unreported vulnerabilities, and keeping them unpatched is critical to both government and crime (which is which?). We can’t be sure Microsoft isn’t playing along with this industry by pretending they don’t know about some of the vulnerabilities, and we have no reason to believe them when they deny they granted the NSA a backdoor in Windows 2000, at least, if not every version of Windows before or since then. Do you trust them? I don’t.

But even what is advertised as the most secure popular OS — OpenBSD — is alleged to have had for some time now a back door sponsored by the government. We may never get to the bottom of that one. And should we trust the NSA to be honest about their work in helping secure Linux via SELinux? Can we believe them when they say there is nothing hidden in anything the US government, or other governments’ spook outfits, have not touched, even in the land of Open Source?

When it comes down to it, I don’t trust anything I didn’t create with my own hands, and I don’t trust my own hands that much. It doesn’t matter if you have nothing to hide. At the very least, the first time I raised my right hand and took the oath of enlistment in 1979, whatever privacy I may have once had was long gone. I am fully compromised, lacking only the next new invasion of privacy in the form of mandatory chipping of my body for easy tracking. I keep wondering when the VA medical system will announce they can no longer treat anyone without such a chip, so get it now.

I don’t pretend by running Linux on my laptop I have frustrated any snooping, except by the relatively minor threat from questionable marketing trackers. Even on Windows we can defeat most of that. As far as I am concerned, my privacy was compromised long ago. Whatever it is I hope to do in the future had better not depend on privacy and secrecy of that sort. We find Orwell’s nightmare visions credible because we know people will do some of the awfullest things to each other for the stupidest of reasons. The only limit on government immorality is a lack of creativity. Psychopaths are forced to rely on the pool of talent which gravitates to the suffocating inhumanity of government service. Government is riddled with incredible incompetence, but the real problem is simply how large it is, and how wide the net is cast for relatively silly things it tries to control.

What I was hoping to put before you today, dear reader, is the silliness of the whole thing. The government’s Keystone Cops level of incompetence works because too many people are silly enough to put their lives on Facebook. The two sides of this equation deserve each other. Never mind my mad chatter about Christian Mysticism and being a prophet of God; any secular intelligence can see this is silly on a purely human level. Are we reduced to the point the government efforts at law enforcement are going after the kind of people who suffer such a common grade of vanity? Think about that for a moment. Why do we still call this “civilization”?

Basic Computer Help Service

Wednesday 16 February 2011 1 comment

This is an outline of what I do when people bring me a computer which isn’t working properly. Aside from undoing mistakes and diagnosing hardware failures, most of it consists of cleaning up the operating system. There are no secrets here, and this has been pretty successful with most of my clients. You can save a lot of money using these ideas.

1. If possible, I convince them to switch from Windows to Linux. I’ve never seen a personal computer running Linux compromised, nor heard of one. I’ve not seen any misconfigured by user mistakes once properly installed, even when the user knows the root password and understands how it works. I am always eager to devote significant amounts of time teaching folks how to get used to the Linux way of doing things. I select the Linux distribution based on how they use it, but my choices are limited to Debian, Ubuntu LTS, and CentOS for the simple reason each of these will be stable and supported for a minimum of three years for each release.

2. Assuming they stick with Windows, drop into safe mode and run virus and malware scans. As soon as the BIOS starts to hand off to the operating system, hit the F8 key, and select “Safe mode with networking” so you can download updates to the scanners which offer it. My favorites are Vipre Rescue for viruses (updated daily) and Malware Bytes free version for spyware. Allow significant time for each scanner to complete, and remove the junk they find. If you can’t even boot the system, you can get a bootable rescue CD with a scanner which might be able to recover the system enough to try booting again. I would never trust McAfee or Norton, but I have used the BitDefender and Kaspersky CDs to good effect. They take a very long time to run.

3. While in safe mode, make sure a good AV and malware package are installed for regular use. You can purchase the full version of VIPRE from Sunbelt/GFI, but I find Avast works better for most people. The free version will do if you can’t afford the regular. After installing Malware Bytes free version, you can leave it on the system, but you have to run it manually, because live protection comes only with the purchased version. I recommend running it weekly, but be sure to update first each time.

4. Still in safe mode, uninstall software you are not using, or which weakens security and privacy. The greatest threat comes from entertainment. Those who produce entertainment know you won’t likely pay much up front — not nearly as much as they want, anyway. So they let advertisers pay for it by saddling you with advertising. Those $10 and even $20 games at the big box stores are some of the worst, eclipsed only by the freebies you can download online: Wild Tangent, Pop Cap, iWin, etc. Each of them insists on installing their gameware server, or browser toolbars, and other associated junk software which slows down the system, allows them to track your every touch on the computer, and frankly opens the door to spyware and viruses. Very few download games are safe, and it takes time to learn those which are. Similar warnings apply to music downloaders and players.

The other kind of software which risks security is social software. Don’t download stuff related to Facebook (like FlipToast) or any other social networking site until you understand what risks are involved. Each of them is basically tracking you all over the Net, and they are loaded with vulnerabilities exploited by criminal elements. Don’t let your instant messengers load automatically unless you are using something like Pidgin, which is considerably safer than most alternatives.

Finally, a major culprit for bundling useless and resource-hogging software is Apple and their Safari-iTunes package. If you don’t desperately need what they do, get rid of them completely. Even QuickTime can be replaced with good, free and secure alternatives, such as the K-Lite package. Get the Mega package, and use the bundled Media Player Classic as your default media player. Another is Adobe. You can get a decent and very secure PDF reader called Sumatra. Not fancy, but adequate. If you need more features, try Foxit or PDF-Xchange. Both are less of a threat to you than Adobe.

5. Check security settings. Turn on updates, at least to the point of being notified when they are available. Turn on the Windows firewall; it may not be the best, but it’s better than nothing. If you can afford it, find out what sort of firewall/router device is appropriate for your Internet connection and buy one. If you don’t understand firewalls, use whatever wizard comes with the package. You must change the default password for accessing the device; choose a good one based on something such as the first letter of a phrase or song lyrics you know you’ll remember. Keep the mixed capitals and lower-case and punctuation, and substitute a numerical digit for at least one of the letters. Make sure it’s not less than 8 characters.

6. Consider changing your Net surfing habits. Especially with Windows, use just about any browser but Internet Explorer, saving it for those few websites which simply will not work otherwise. Install Firefox and configure it with security addons. Use this for basic surfing and all the random stuff you do; make it your default browser. But for strictly business, or sites where you have to login often, even if it’s as frivolous as blogging or Facebook, use a different browser. I recommend Opera for Windows, though it will take some time to understand and browse the configuration options. It remains one of the most secure browsers, and its built-in email client is excellent for security uses. You can also use Google Chrome, but it’s not as fully developed, yet. It’s challenging to configure some of the settings you might want to change. However, it includes the advantage of built-in Flashplayer and PDF display. Again, it will take some time to dig around the configuration settings, and getting used to a very different set of functions. It has some of the same security addons as for Firefox, called “extensions.”

For some, the safest way to handle email is using one of the webmail providers, instead of downloading email directly to the computer. This will surely compromise privacy, particularly with Gmail, but any viruses will be on their computer, not yours. Yahoo and a few others will scan attachments for threats before you download them. Frankly, I like to use foreign-based webmail providers. A good example is GMX.net, based in Germany. The interface is in German, but there are others like them who accommodate English language users. GMX does have an American-based operation (GMX.com), but their site has been pretty rude about blocking browsers other than IE. You can always try Hush Mail and others.

Finally, stop using Google, Bing or Yahoo as your default search engine. All of them will track your searches in such a way they can be traced back to you personally, and sell that information to advertisers. Use StartPage or DuckDuckGo. Either of them will preserve your privacy much better.
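As an added example that is not part of the original post, here is a small Python script applying the password advice in step 5 above: it builds a password from the first letter of each word of a phrase, keeps the case and the punctuation, swaps one letter for a digit, and then checks the stated rules (at least 8 characters, mixed case, punctuation, a digit). The letter-to-digit table, the list of default passwords and the sample phrase are assumptions of this example.

```python
import string
from typing import List

# Letter-to-digit substitutions used for the "substitute a digit for at least
# one of the letters" step. This particular table is an assumption of the example.
LEET_DIGITS = {
    "o": "0", "O": "0", "i": "1", "l": "1", "e": "3", "E": "3",
    "a": "4", "A": "4", "s": "5", "S": "5",
}

# Constructed list of factory defaults a router might ship with; a password that
# matches one of these is rejected outright ("you must change the default password").
COMMON_DEFAULTS = {"admin", "password", "1234", "12345678", "root"}


def mnemonic_password(phrase: str) -> str:
    """Build a password from a memorable phrase the way the post describes:
    first letter of each word (case preserved), trailing punctuation kept,
    and at least one letter replaced by a digit."""
    parts = []
    for word in phrase.split():
        # Drop opening quotes or other leading punctuation so we start on a letter.
        core = word.lstrip(string.punctuation)
        if not core:
            continue
        parts.append(core[0])
        # Keep commas, periods, question marks etc. that end a word.
        parts.append(core[len(core.rstrip(string.punctuation)):])
    password = "".join(parts)

    # Replace the first letter that has a digit mapping. If none does, append the
    # word count as the digit (assumption: any digit satisfies the rule).
    for idx, ch in enumerate(password):
        if ch in LEET_DIGITS:
            password = password[:idx] + LEET_DIGITS[ch] + password[idx + 1:]
            break
    else:
        password += str(len(phrase.split()) % 10)
    return password


def policy_failures(password: str) -> List[str]:
    """Return the rules from step 5 that the password fails; empty means it passes."""
    failures = []
    if password.lower() in COMMON_DEFAULTS:
        failures.append("matches a common factory default")
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no punctuation")
    return failures


if __name__ == "__main__":
    # Constructed sample phrase; a real user would pick a lyric or line they remember.
    sample = "Mary had a little lamb, its fleece was white as snow."
    pw = mnemonic_password(sample)
    print(pw, "->", policy_failures(pw) or "passes")
    print("admin", "->", policy_failures("admin"))
```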

Categories: computers

Not Migrating: Windows Security Considerations

Tuesday 25 January 2011 2 comments

Just because I’m convinced Linux has a better security posture than Windows does not mean Windows is useless. And sometimes you just don’t need that much control to get things done. Frankly, a badly configured Linux box is as easily trashed as the average Windows box. Windows can be secured, but it’s more work.

When it comes to running as a server, it’s hard to beat Linux for smaller operations. For any computer connected to the Net full-time, I trust a Linux over any Windows box. But when your computer has only intermittent access to the Net, particularly for laptops and other mobile devices, the threat profile is inherently lower. What you still have to guard against are things like viruses and spyware.

And let’s be honest: To the fanboy of any OS, theirs will always be the best. To the average user lacking such loyalties, Linux is still lacking for desktop and laptop use. The Linux desktop is simply not that compelling. And for some uses, Linux is frankly inferior. Gaming? Windows; no contest. Multimedia? It’s a little more complex. On the one hand, Open Source can access more kinds of formats, and can manipulate them easily, and seldom pays much attention to DRM and other vendor controls. On the other hand, Linux seldom competes in terms of resource usage. That is, to play the same multimedia file on a particular machine running Linux requires more horsepower than the same machine with the same file running Windows. There are a dozen reasons for this, and I’m not going to chase rabbits. Frankly, most people aren’t geeky enough to pay much attention to a resource meter, even if they had one, and which ones would you trust? Otherwise, I’d say Linux typically runs standard operations on a lot less RAM.

Generic instructions on securing Windows are all over the place, and frankly contradictory at times. I’m not going to pretend I am an expert. All I know is what I have experienced in the years of running Windows on at least one of the systems in my home, and helping others with theirs.

Never, ever trust McAfee and Norton. Both have been bought out by major corporations who then fired all the chief developers. Not since Windows 95 days have they been any good, and often a great deal of trouble. I’ve used a large collection of the free AV offerings and some of the commercial ones. I used to love AVG, but they’ve gotten fat and slow. I still rather like Vipre from GFI, but it started causing me some problems last year. These days I favor Avast from Alwil. The free version is good enough, and the paid version is even better.

For spyware, it’s a toss-up between Super Anti-spyware and Malwarebytes. The former is a bit more aggressive with the advertising, so I give Malwarebytes the edge. I don’t trust any software firewall. There was a time when ZoneAlarm was useful, but when it was bought out by some Mossad front in Israel, I dropped it like a hot rock. Never trust a company run by a foreign government secret agency, regardless of which country. Always prefer a hardware firewall (or router), but if you are using a laptop and free wifi, the built-in firewall on Vista and Win7 is better than nothing.

Sites related to entertainment — movies, music, games, etc. — are your worst enemy. It’s the cool toys which are used to sucker you into a situation which compromises your system. All the more so if your tastes run to vice. If you gotta have it, don’t run Windows. If you can restrain yourself, standard protections work fine.

You may recall in my post on securing Firefox on RHEL 6, I noted there it’s the same tricks used on Windows. Download and install first the CCleaner and learn how to use it. Or, use BleachBit for Windows. The point is to make sure you have something which eats evercookies, in particular the LSO cookies from Flashplayer. Install those addons: Adblock, Flashblock, Ghostery. Make sure to configure them to do the blocking. Facebook fans, you’ll need to make sure you tell Ghostery it’s okay to display the stuff from Facebook Connect, or you won’t be able to play any of those silly games. Better yet, stay away from Facebook, MySpace and similar idiot-bait sites.

Don’t run Chrome. On both Windows and Linux right now, the slightest little bit of JScript on the page and it starts running like a fully loaded truck. I’ve noticed it pulls about 50% of both my CPU cores regardless of which OS it runs on, and that’s just too much to ask. Internet Explorer does not honor CSS very much, so a lot of pages using Cascading Style Sheets for formatting the display will look ugly in IE. Opera is in a high state of flux right now, needing some good extensions, but most of what they now have works poorly. Also, their JScript engine tends to go nuts now and then, refusing to work in some of the oddest places.

Once again, we have this recurring theme: Take control of your computer use. If it’s worth doing, then it’s worth becoming self-sufficient.

Categories: computers

Sanity and Self-Sufficiency

Sunday 23 January 2011

In a previous post, I noted my interest in Linux and Open Source was primarily a matter of self-sufficiency, though I phrased it as a matter of having control over my computer. People want such control when they are ready to take responsibility for things, when they decide to be self-sufficient in some area of life.

In a broad general sense, self-sufficiency has a bad reputation in this world. It’s called everything else, including isolationism, tribalism, paranoia, etc. Those of us reaching for more self-sufficiency have no beef with the rest of humanity doing what they please, we just don’t want to be vulnerable when it serves no good purpose. There are plenty of things in this life where being open to injury is utterly necessary, and absorbing abuse is good and right. That’s what mysticism does to you; it makes you believe some things here aren’t as important as they seem because there are issues somewhere else, on another plane, which take priority. By the same token, such a concern over higher priorities will inevitably result in choices for greater self-sufficiency, if only to avoid unnecessarily burdening others.

In the virtual world, the Internet landscape, it is absolutely necessary we cooperate. Indeed, the Internet is the ultimate voluntary community. There is a certain necessary assumption in the very nature of the thing which calls for a high level of self-sufficiency in some areas, and somewhat more dependence in others. Failure to discern where those lines should be drawn is what makes it so ugly for the rest of the Net. For example, I note frequently the International Merchant Culture, with its utterly mercenary spirit, does everything in its power to subvert the nature of the Internet. That they aren’t strongly opposed is part of what makes the Net work, but using technology to route around them, as if they were some kind of damage or bottleneck, is wholly justified. If you want to block advertising in your browser, it is entirely appropriate. They call it unfair, with all sorts of dire warnings this will hinder paying the bills for keeping good content on the Net, but I’m not so sure their content will be missed, since what they fund never fails to be self-serving. The mainstream media is, as a whole, a liar first and foremost. Sure, some decent folks will be caught in the middle, but nothing is simple. By using technology to frustrate their power grab, we remind Merchants it is all cooperative.

I don’t see WordPress, the host of this blog, suffering much by the lack of advertising on my blog, for instance. There are a few people who manage to do business without cutting throats, but I find them few and far between.

It’s that same evil mercenary spirit of the Merchant Culture which causes me to distrust them in my choice of operating system. I count Red Hat as a company generally lacking in the mercenary instinct, in part because such instinct simply won’t fit in with using Linux in the first place. Red Hat doesn’t contribute much to making Linux pretty or fun, but their developers are the single greatest source of kernel patches, and security improvements in general. If you want the extra toys and eye candy, you’ll have to get them for yourself. That’s self-sufficiency, particularly in the issues where you should have it. Where you should be able to trust them, with the arcane science of Linux internals, I find them trustworthy. It’s a compromise, and it works for me.

All the more so when the Merchant Culture is not the only threat in the Net. It’s not just the lawless crackers and Internet mafia folks, either, but governments. A particularly significant threat is the US government. The Internet was born here in the US, and it was a government project. However, it was funded by government because no one else could afford it in its infancy. Really expensive computers operated by academics at colleges and government research labs were government property, though not always owned by the same government entity. Basically, it was not really a government operation, but an academic one. The government was actually quite slow to catch on to its value. It was a large collection of academics, government employees, and some brilliant independent scientists who got it roaring before the ruling elite awoke to its power.

Here in the US in particular, government elites still say with a straight face they are simply serving the people. Since they promote this mythology, they have to come up with all sorts of fresh manipulations and lies when “We the People” who supposedly rule decide to do something with what our taxes have wrought, which activities tend to interfere with their Olympian plans. Yes, we know it’s all a big lie, but they are the ones who keep saying it’s our nation and our government, and they simply carry out our wishes. If our actions prove they are lying, because there is a conflict between what they say are our wishes versus what we clearly and obviously intend to do against their wishes, then they should have sense enough to realize they failed us. They usually do, but utterly lacking in any moral sense, they blame us.

I lose no sleep at night defying their wishes. A significant element in my choice to run Red Hat (or its clones CentOS and Scientific Linux) is defying elements of their unjust grab for power over my computer. I, for one, am utterly certain there are backdoors in Windows wide open to the NSA and other government agencies. While the federales have certainly poked their fingers in my eye once or twice intentionally, I rather suspect they don’t have the resources to pay attention to me right now. That doesn’t mean they won’t harm me, if nothing else, while targeting someone else.

By no means would I expect anyone to go to jail for the crime of setting loose the Stuxnet worm on the Net. Not the real crooks, anyway. The government thugs already have laws on the books forbidding them doing such things, but they consider themselves a class apart; such laws apply to “We the People.” On the one hand, we hear this is one of the best constructed pieces of malware ever. When reports came out later saying it wasn’t so brilliant after all, I figured that was at least partly lying propaganda, trying to put out the fire after the fact. If you ask me, having that nasty thing hit other computer systems besides the ones in Iran was just a part of their cover, a plausible deniability factor. Who’s to say their next nasty attack won’t hit ordinary folks like you and me? If it destroys the systems of a bunch of We the People mundanes, it’s just part of taxation, as far as they are concerned.

Somewhere between the need for security and need to get things done without wasting too much time, I find running Red Hat a pretty good compromise. You may well find the balance somewhere else, and I applaud you for at least looking into it and deciding for yourself. It occurs to me a greater mix, a proliferation of differing and distinctive operating systems connected to the Net, instead of the near-monopoly of Windows, would reduce the botnets and spam, not to mention the unintended consequences of government sponsored evil.

RHEL for the Clueless: Securing Firefox

Sunday 9 January 2011 3 comments

How secure is “secure”? Nobody can decide for you. What I offer here is the measures I take before browsing the Net. From what I can tell, these measures are effective in that the data-mining and marketing industry has a very poor idea of who and where I am. Try looking yourself up on sites like Spokeo or Zabasearch to get an estimate of your online data trail. While your web browser is not the only source, nor even a major source, of such information, it is a part of the bigger effort. The whole idea is to make those data mining sites as inaccurate as possible. And maybe you don’t care, but for those who do, I’d like to suggest a few configuration changes to improve things.

In the Firefox menu, select Edit > Preferences, then go to the Privacy tab. It’s almost blank, but if you hit the first drop-down button, you’ll see the option “Use custom settings for history.” This gives you access to detailed settings otherwise hidden. I set my browsing history at 9 days, and consider that loose, but convenient. It also speeds up the response of the URL bar when typing directly into it, since it’s not searching a mile-long list. On the cookie settings, I accept third-party cookies because too many sites I use require them for login. Then I set the “Keep until” policy to “Ask me every time.” That way I can train Firefox to block cookies I don’t want.

Each time a server tries to set a cookie, you choose one of three policies for that server: (1) accept always, (2) session only (kept until you close the browser) and (3) block. Every time you go to a site, you get to set the policy for each individual source of all the cookies that site tries to give you. It’s work, but eventually your browser learns enough that you won’t see the popup control dialog so often. It helps if you are familiar with the major advertising and tracking companies out there, as I am. Also, if it matters to you, come back to this tab from time to time and click the button marked “Show Cookies…” to see what is in your browser’s cookie store at that time. To see what the policies are for each server domain name you’ve encountered (maybe you clicked the wrong button on one when the dialog popped up), try the button marked “Exceptions…” You can reset a policy by removing the server name, and even re-enter it manually right then if you like. Keep in mind that blocking a server from now on does not necessarily remove cookies it already set; those you delete from “Show Cookies…”
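The two buttons above read two SQLite files in your profile directory, and you can audit those same files from a terminal. The script below is an added example for this post, not Mozilla’s or BleachBit’s code. It assumes the layout of a Firefox 3.x profile (a moz_cookies table in cookies.sqlite, a moz_hosts table in permissions.sqlite, with cookie permission values 1 = allow, 2 = block, 8 = session only); the rows it builds in memory are constructed sample data standing in for ~/.mozilla/firefox/<profile>/. It lists every long-lived cookie from a host you never explicitly allowed, which is the usual shape of a tracking identifier, and runs under the Python 2.6 that RHEL 6 ships as well as Python 3.

```python
"""Audit Firefox's cookie jar against the per-host cookie policies you set.

Added example, not Mozilla's or BleachBit's code. Assumed schema (Firefox 3.x profiles):
  cookies.sqlite      table moz_cookies(host, name, value, path, expiry, isSecure, isHttpOnly)
  permissions.sqlite  table moz_hosts(host, type, permission)
                      type 'cookie', permission 1 = allow, 2 = block, 8 = session only
Pass a profile directory on the command line to audit your own browser.
"""
import os
import sqlite3
import sys
import time

COOKIE_PERMISSION = {1: "allow", 2: "block", 8: "session"}
FAR_FUTURE = 4102444800  # 2100-01-01 UTC, the "never expires" expiry trackers like
DEMO_NOW = 1294531200    # 2011-01-09 UTC, the clock the constructed data is built around


def build_demo_db():
    """Constructed stand-in for both profile files, kept in memory so the demo runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, host TEXT, name TEXT, value TEXT,
                                  path TEXT, expiry INTEGER, isSecure INTEGER, isHttpOnly INTEGER);
        CREATE TABLE moz_hosts (id INTEGER PRIMARY KEY, host TEXT, type TEXT, permission INTEGER);
    """)
    conn.executemany(
        "INSERT INTO moz_cookies (host, name, value, path, expiry, isSecure, isHttpOnly)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)",
        [
            ("mail.example.com", "SID", "s3ss10n", "/", FAR_FUTURE, 1, 1),            # login you allowed
            (".doubleclick.net", "id", "22c1f8e0", "/", FAR_FUTURE, 0, 0),            # set before you blocked it
            (".tracker.example-ads.net", "uid", "9f1a", "/", FAR_FUTURE, 0, 0),       # never asked about
            ("forum.example.org", "phpbb_d", "x", "/", DEMO_NOW + 86400, 0, 0),       # expires tomorrow
        ],
    )
    conn.executemany(
        "INSERT INTO moz_hosts (host, type, permission) VALUES (?, ?, ?)",
        [
            ("mail.example.com", "cookie", 1),
            ("doubleclick.net", "cookie", 2),
            ("example.org", "cookie", 8),
            ("example.org", "popup", 1),   # a non-cookie permission; must be ignored
        ],
    )
    return conn


def cookie_policies(perm_conn):
    """host -> 'allow' | 'block' | 'session', exactly what the Exceptions... dialog shows."""
    rows = perm_conn.execute("SELECT host, permission FROM moz_hosts WHERE type = 'cookie'")
    return dict((host, COOKIE_PERMISSION.get(perm, "unknown")) for host, perm in rows)


def policy_for(cookie_host, policies):
    """Walk up the labels so a policy for example.org also covers .forum.example.org.
    The bare TLD is skipped: nobody sets a cookie policy for 'net'."""
    labels = cookie_host.lstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in policies:
            return policies[candidate]
    return "default"


def audit_cookies(cookie_conn, policies, now=None, long_lived_days=365):
    """One record per stored cookie: remaining lifetime and the policy covering its host."""
    now = time.time() if now is None else now
    report = []
    rows = cookie_conn.execute("SELECT host, name, expiry, isSecure, isHttpOnly FROM moz_cookies")
    for host, name, expiry, secure, httponly in rows:
        days_left = (expiry - now) / 86400.0
        report.append({
            "host": host, "name": name,
            "days_left": round(days_left, 1),
            "long_lived": days_left > long_lived_days,
            "secure": bool(secure), "httponly": bool(httponly),
            "policy": policy_for(host, policies),
        })
    return report


def suspicious(report):
    """Long-lived cookies from hosts you did not explicitly allow. A 'block' entry here means
    the cookie was set before you blocked the host: blocking stops new ones, it does not
    necessarily delete what is already stored."""
    return [r for r in report if r["long_lived"] and r["policy"] != "allow"]


def main():
    if len(sys.argv) == 2:   # usage: python cookie_audit.py ~/.mozilla/firefox/xxxxxxxx.default
        profile = os.path.expanduser(sys.argv[1])
        cookies = sqlite3.connect(os.path.join(profile, "cookies.sqlite"))
        perms = sqlite3.connect(os.path.join(profile, "permissions.sqlite"))
        report = audit_cookies(cookies, cookie_policies(perms))
    else:
        demo = build_demo_db()
        report = audit_cookies(demo, cookie_policies(demo), now=DEMO_NOW)
    for r in suspicious(report):
        print("%-28s %-10s policy=%-8s days_left=%s" % (r["host"], r["name"], r["policy"], r["days_left"]))


if __name__ == "__main__":
    main()
```

Run it with Firefox closed; Firefox 3.x holds a lock on these files while it is running. Anything it prints with policy=default is a server the dialog never asked you about (it arrived while you were still on “Keep until: they expire”), and anything with policy=block is a leftover worth deleting by hand.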

Now let’s add some extensions which make your security stronger. In the menu line, click Tools > Add-ons. At the top of the dialog window select “Get Add-ons”. This takes you directly to the repository for Firefox add-ons. First, type “flashblock” in the search box; the first item it lists should be the Flashblock add-on. This is about more than the annoyance of uncontrolled Flash advertising. Flash Player keeps its own cookies (Local Shared Objects) in a separate place on disk that Firefox’s cookie settings never see. If you only play the Flash objects you want, there are fewer Flash cookies to deal with. Install it and restart Firefox. You don’t have Flash Player yet, but we’ll fix that soon enough.

Next, in similar fashion search for Adblock. Again, it’s not just the annoyance. Many ad images are tracking beacons: a tiny image served from a unique URL, so that each request for it tells the ad server which page you loaded, along with any cookie it already set for you. Because the image is cached, the tracker can also hand back a cache validator (an ETag) that identifies you on later requests even when no cookie is present. The identifying tag travels in the request and response headers, not in the picture itself, which is why it is invisible when the image is displayed. When prompted, subscribe to the default filter list so the block list keeps itself updated.
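To make the mechanism concrete, here is the server side of such a pixel as an added example for this post; it is not any ad network’s code. The PixelTracker class identifies a visitor three ways: from a cookie, from the ETag the browser sends back when it revalidates the cached image (which survives clearing cookies), or by minting a new id when neither is present. The visits in simulate_visits() are constructed, and ids are a simple counter for readability where a real tracker would use random values.

```python
"""How a 1x1 tracking image identifies you: by the request, not by the picture.

Added example for this post, not any ad network's code. Visits are simulated; ids are
a counter here purely for readability (a real tracker would use random ones).
"""


def parse_cookies(header):
    """'uid=7; other=x' -> {'uid': '7', 'other': 'x'}"""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            out[key] = value
    return out


class PixelTracker:
    def __init__(self):
        self.next_id = 1
        self.profiles = {}   # uid -> list of pages on which the pixel was loaded

    def handle(self, request_headers, page_url):
        """Serve the pixel. Returns (uid, how_identified, status, response_headers).
        page_url is what the Referer header (or a ?page= query on the pixel URL) carried."""
        cookie_uid = parse_cookies(request_headers.get("Cookie", "")).get("uid")
        etag = request_headers.get("If-None-Match", "").strip('"')
        if cookie_uid:
            uid, how = cookie_uid, "cookie"
        elif etag:
            uid, how = etag, "etag"        # cache revalidation revived the id: no cookie needed
        else:
            uid, how = str(self.next_id), "new"
            self.next_id += 1
        self.profiles.setdefault(uid, []).append(page_url)
        response = {
            "Set-Cookie": "uid=%s; Path=/; Expires=Fri, 01 Jan 2100 00:00:00 GMT" % uid,
            "ETag": '"%s"' % uid,                          # the id rides along in the cache entry
            "Cache-Control": "private, max-age=31536000",  # keep it cached so revalidation happens
        }
        status = 304 if how == "etag" else 200   # 304 Not Modified: "your cached copy is still good"
        return uid, how, status, response


def simulate_visits():
    """Three sites embed the same pixel; the user clears cookies midway, then the cache too."""
    tracker = PixelTracker()
    uid1, how1, _, resp1 = tracker.handle({}, "http://news.example/article")
    # second site: cookie and cached ETag both present, cookie wins
    uid2, how2, _, _ = tracker.handle(
        {"Cookie": "uid=" + uid1, "If-None-Match": resp1["ETag"]}, "http://shop.example/cart")
    # user cleared cookies but not the cache: browser revalidates with If-None-Match only
    uid3, how3, status3, _ = tracker.handle(
        {"If-None-Match": resp1["ETag"]}, "http://forum.example/thread")
    # user cleared the cache as well: nothing links this visit to the earlier ones
    uid4, how4, _, _ = tracker.handle({}, "http://blog.example/post")
    return tracker, [(uid1, how1), (uid2, how2), (uid3, how3, status3), (uid4, how4)]


if __name__ == "__main__":
    tracker, visits = simulate_visits()
    for uid, pages in sorted(tracker.profiles.items()):
        print("visitor %s seen on: %s" % (uid, ", ".join(pages)))
```

The third visit is the one that matters: cookies are gone, yet the browser’s own cache revalidation hands the id straight back. That is why blocking the image request in the first place (Adblock) and clearing the cache (the BleachBit step further down) both belong in the routine, not just cookie management.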

Do this for the Ghostery add-on, too. This actively blocks the most egregious tracking companies. Once installed, it has a wizard to set it up. Among the options, you should enable active blocking and click “All” for the listing it shows. For fun, I enable the “bubble” option which opens a tiny square listing the servers blocked on each page. The wizard doesn’t show it, but if you go back later and click on Ghostery in your Tools > Add-ons dialog, you’ll see a button for setting preferences, which offers more detail. I set the bubble to appear in the lower right-hand corner.

Thus far, these are things you can do on Windows, Mac, and every other operating system for which you can get Firefox. I find the other security add-ons a nuisance to use, because they require too much specialized knowledge or are simply annoying. I really do not like NoScript. Though I actively hate JavaScript in the first place, too many sites are simply inaccessible unless you happen to select the correct combination of scripts to allow. It’s more control than I want or need.

Then there is the threat from “evercookies”: a tracking identifier copied into several storage areas on your system (Flash Local Shared Objects, the browser cache, DOM storage and others) so that if you delete it from one place, the site regenerates it from another the next time you go online. In Windows land, you can install an add-on called “Click & Clean” and configure it to run CCleaner (from Piriform) every time the browser closes. CCleaner is quite intelligent about your cookies and keeps the ones you really have to have, and offers you a chance to change the default settings on them. The closest thing to that for Linux is BleachBit, which is Open Source and even has a Windows version. It’s not fully developed yet, but it may eventually offer features competitive with CCleaner. For now, it’s pretty darn good at eating evercookies.

Follow the Linux download link on the BleachBit site, and notice they make a package for quite a few Linux distributions. There is currently no RHEL 6 package, but if there were, it would work fine with CentOS and Scientific Linux 6 as well. Instead, keep in mind that RHEL 6 is built from roughly the Fedora 13 code base. So for now, download the BleachBit package for Fedora 13.

Keep that download tool window open. You can install it from there: just double-click on the name once it has finished downloading. RHEL will pop up a dialog about installing it with the package manager. Once you say “yes” and give your root password, it should find the dependencies automatically, in this case a package called “python-simplejson”. If not, we’ll have to work on that later. Right now, the point is that this process is automated enough that you shouldn’t have to struggle with too much detail.

Once it’s installed, you can find BleachBit in the menu: Applications > System Tools. Open the application and take a look at the check boxes for the different applications it knows how to clean. For Firefox, I recommend you check only Cache, DOM Storage, Session restore, and Vacuum. Then find where Flash is listed and check both items, Cache and Cookies. These are the places evercookies hide. I run it at the end of every day, to finish the process of what we accomplished in the other steps above.
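If you want to see for yourself what those four check boxes are pointed at, the following script walks the same on-disk locations and reports what it finds. It is an added example for this post, not BleachBit’s code. It assumes the standard Linux paths for Flash Player’s shared objects (~/.macromedia/Flash_Player/#SharedObjects and the per-site settings under macromedia.com/support/flashplayer/sys) and for a Firefox 3.x profile (webappsstore.sqlite for DOM storage and the Cache directory inside the profile). The build_demo_home() function fabricates such a tree in a temporary directory so the demo never touches your real profile; pass your real home directory to find_evercookie_stores() to check the real thing. It only reports; deleting is BleachBit’s job.

```python
"""Where evercookies hide on a Linux desktop, and how to list them.

Added example for this post, not BleachBit's code. Assumed paths (Linux Flash Player
and Firefox 3.x profiles):
  ~/.macromedia/Flash_Player/#SharedObjects/<random>/<domain>/...*.sol   Flash cookies (LSOs)
  ~/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/#<domain>/settings.sol
  ~/.mozilla/firefox/<profile>/webappsstore.sqlite                       DOM storage
  ~/.mozilla/firefox/<profile>/Cache/                                    HTTP cache (ETags live here)
Report only: nothing here deletes anything.
"""
import os
import sys
import tempfile

FLASH_LSO_ROOT = os.path.join(".macromedia", "Flash_Player", "#SharedObjects")
FLASH_SYS_ROOT = os.path.join(".macromedia", "Flash_Player", "macromedia.com",
                              "support", "flashplayer", "sys")
FIREFOX_ROOT = os.path.join(".mozilla", "firefox")


def find_evercookie_stores(home):
    """Return the evercookie hiding places present under a home directory, grouped by kind."""
    found = {"flash_lso": [], "flash_sys": [], "dom_storage": [], "cache_dirs": []}
    # Flash cookies: any .sol file under #SharedObjects/<random>/<domain>/...
    for dirpath, _, files in os.walk(os.path.join(home, FLASH_LSO_ROOT)):
        found["flash_lso"].extend(os.path.join(dirpath, f) for f in sorted(files) if f.endswith(".sol"))
    # Per-site Flash settings: one '#domain' directory per site that touched Flash storage
    sys_root = os.path.join(home, FLASH_SYS_ROOT)
    if os.path.isdir(sys_root):
        found["flash_sys"].extend(os.path.join(sys_root, d) for d in sorted(os.listdir(sys_root))
                                  if d.startswith("#"))
    # Firefox: each profile directory may carry DOM storage and an HTTP cache
    profiles = os.path.join(home, FIREFOX_ROOT)
    if os.path.isdir(profiles):
        for name in sorted(os.listdir(profiles)):
            pdir = os.path.join(profiles, name)
            if not os.path.isdir(pdir):      # profiles.ini and friends are files, skip them
                continue
            dom = os.path.join(pdir, "webappsstore.sqlite")
            if os.path.isfile(dom):
                found["dom_storage"].append(dom)
            cache = os.path.join(pdir, "Cache")
            if os.path.isdir(cache):
                found["cache_dirs"].append(cache)
    return found


def lso_domains(found):
    """Which sites planted Flash cookies: the path component after #SharedObjects/<random>/."""
    domains = set()
    for path in found["flash_lso"]:
        parts = path.split(os.sep)
        idx = parts.index("#SharedObjects")
        if len(parts) > idx + 2:
            domains.add(parts[idx + 2])
    return sorted(domains)


def build_demo_home():
    """Constructed tree in a temp directory; every file in it is fake."""
    home = tempfile.mkdtemp(prefix="evercookie-demo-")
    fake_files = [
        os.path.join(FLASH_LSO_ROOT, "QX9K2T7M", "www.example-ads.net", "evercookie.sol"),
        os.path.join(FLASH_LSO_ROOT, "QX9K2T7M", "player.video.example", "settings", "prefs.sol"),
        os.path.join(FLASH_LSO_ROOT, "QX9K2T7M", "player.video.example", "readme.txt"),  # not an LSO
        os.path.join(FLASH_SYS_ROOT, "#www.example-ads.net", "settings.sol"),
        os.path.join(FIREFOX_ROOT, "ab12cd34.default", "webappsstore.sqlite"),
        os.path.join(FIREFOX_ROOT, "ab12cd34.default", "Cache", "_CACHE_MAP_"),
        os.path.join(FIREFOX_ROOT, "profiles.ini"),   # a file next to the profiles, not a profile
    ]
    for rel in fake_files:
        full = os.path.join(home, rel)
        if not os.path.isdir(os.path.dirname(full)):
            os.makedirs(os.path.dirname(full))
        with open(full, "wb") as fh:
            fh.write(b"demo")
    return home


if __name__ == "__main__":
    # usage: python evercookie_stores.py [/home/you]   (no argument: scan the constructed demo tree)
    home = sys.argv[1] if len(sys.argv) == 2 else build_demo_home()
    found = find_evercookie_stores(home)
    for kind in ("flash_lso", "flash_sys", "dom_storage", "cache_dirs"):
        for path in found[kind]:
            print("%-12s %s" % (kind, path))
    print("sites holding Flash cookies: %s" % ", ".join(lso_domains(found)))
```

The domain list is the interesting part: a site appearing there that you never deliberately played Flash on is one that used the plugin purely as a cookie jar, and is a candidate for a “block” policy in the Exceptions dialog as well as a BleachBit run.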

That’s about as much as we can do without some extended training on paranoid surfing habits. Your Firefox is now pretty secure from the worst of the online tracking measures.

By the way, I’ve not found any spyware or viruses online which affect Linux, particularly Red Hat. There are several reasons, the main one being that very little malware is written for Linux desktops; the target population is small and varied, so it isn’t practical, though we could debate why. There is also SELinux, a mandatory access control system developed by the NSA (and released as Open Source) to secure government Linux servers. In RHEL 5, it caused some trouble, and I always recommended folks disable it. But it’s come quite a long way since then, and we will be keeping it for RHEL 6. It confines each system service to the files and operations its policy allows, so even a compromised service cannot make arbitrary changes to the system. Also, RHEL has a default firewall which is pretty tight. Given there are currently precious few real online security threats to Linux desktops compared to Windows, what you have right now is about as secure as it gets while still being reasonably usable on the Internet.

Categories: computers

Migrating from Windows to Linux: Security Considerations

Tuesday 4 January 2011 2 comments

First, we have to establish the context. The Internet itself is insecure, and it cannot be made secure. Even if you made your computer or your information cryptologically secure, you cannot prevent physical access to your computer or your person. Should the powers that be (government, corporate or criminal) determine to have your data, they will get it, or take your life instead. Quite often they will settle for simply gaining some measure of control over your system even as you have your hands on the keyboard. This is something easier to prevent.

There are things which can mitigate the risk. Those same powers that be are limited. They are limited in manpower and talent. Precious few are the truly talented computer experts they can hire, not only because there is a limited supply, but a great many of them are unwilling to work for those three entities. The simplest reason is those tend to be run by psychopaths, and psychopaths require a type and degree of control which the most talented of people seldom can tolerate. So there are a very large number of lesser talented people they hire, ranging all the way down to useless-but-loyal. The threat is mitigated by overwhelming size of the victim pool against a tiny pool of talented attackers.

In other words, the likelihood of you provoking sufficient interest from them that they would actively attack you, is tiny. They rely on automation, which has distinct limits. It relies on the vulnerability of the victim computers on the virtual level. This requires a high degree of expertise by them in crafting attacks which can’t be resisted, or which human behavior patterns indicate won’t be resisted. The latter is simpler and cheaper by far in terms of return on investment.

So the greatest threat to your computer security is the profit motive. Not all profit is measured in terms of currency, but each of those three primary threats are seeking profit in some way at your expense. They seek control over your computer and the data on it. You are seeking to raise the barrier against low-level threats requiring little effort from them, yet staying below the radar of more serious threats from a directly targeted attack. Your greatest weakness is ignorance.

For most Windows users, you are simply not permitted to know too much about securing your system. Thus, even if you have plenty of money to invest in computer security, and an honest supplier, it’s only as good as the underlying system itself. Windows is inherently less secure than any other system, because the fundamental design philosophy is aimed at something else. Microsoft feels compelled to play nice with corporate partners and governments, and against the common user. The user is not the primary customer. Criminals invariably find the same hidden entrances to your computer reserved for corporations and governments. The playing field is tilted against you. It’s not impossible to have good security, but with Windows the gap between default settings and high security is very wide, and often quite expensive to bridge in terms of third-party protection measures.

The path to greater security is highly obscured, actively hidden by Microsoft beyond a certain minimal level. You have to be a member of the club, pay the high fees for access to the official source of information, and agree not to divulge it under very heavy financial threat. The inner workings are very tightly guarded from you also by a significant wall of commercial advertising. The average user is constantly assured by the governments, corporations and criminals, too: This is as good as it gets. Those corporations include the ones which dominate the public information franchises. Breaking out of this matrix requires breaking strong taboos in the global merchant culture. It requires a significant bad experience, along with a general public sense of malfeasance in the entire ecosystem, for people to begin seeking change.

The real issue is not superior technology, but different technology, a different approach to the basic questions of what computers should do. The Open Source approach is different from what everyone else expects. It is a matter of human cultural factors broad and subtle. Computer security is more about humans than their computers, but it’s a complex matrix of the humans involved on all sides of the virtual world — the users, the developers, the big players who have a hand in the final result. There are fewer commercial big players in the Linux world, and it’s almost off the radar of the average consumer.

In Linux generally, the default security is much higher from the start. Naturally, this means Linux is also a bit more difficult to use at first; the learning curve is steep. It’s all the more steep because the majority of humans who have used computers have used Windows first, and Linux is quite different in many ways. Plenty of people make the transition easily enough, but frankly the candidates for migration are self-selecting: the sort of people who tend to be dissatisfied with Windows, looking for something different. That something different, at least with Open Source, costs less in terms of wealth, and more in terms of effort. It is also generally more secure, though we could argue all day why and how. The primary difference which no one can dispute is the lack of catering to governments, corporations and criminals. It’s also not user-centric, but developer-centric, and Open Source developers are almost uniformly paranoid about computer security.

On top of this, I’ve noted already in yesterday’s post how using Linux compels the user to learn more, to take more responsibility, thus, changing the security habits. Again, it is the user’s ignorance which is his worst enemy, and Linux as an environment strengthens that weakest link. The broader community of Linux users seldom operate from the profit motive, at least not directly. Since the software itself is an open product, the money has to come from service and support. The primary reason this makes so much money is because there is a huge market of folks who want the security they perceive Linux offers without the learning. The primary big money in Linux is service and support, followed by books and education courses. But if you are willing to learn, you don’t have to pay, because the same information is already freely available, to any depth you wish to explore.

Categories: computers

Outrigger: 14

Saturday 5 June 2010 Leave a comment

It was one of those rare moments when Ripley had a break. Leaned back in his chair, he stared out the window at the light traffic visible in gaps between the other buildings around the warehouse.

Krumm walked in carrying his laptop and a pair of headsets. “I really need for you to listen in on a phone conversation.”

Ripley sat up. “Um, okay.”

Krumm pulled up a chair against the front of Ripley’s desk. He placed the laptop, and plugged both headsets in, then opened the cover. “I’m going to use VOIP because our broadband is more secure than the land-line,” he explained. He handed a set of headphones to Ripley, then donned the other set, which had a boom microphone built into it.

Ripley was just one notch above bored. He listened as the software finally got a dial tone. The number was speed-dialed, and it rang enough times to make Ripley wonder if anyone was going to pick it up. Krumm seemed unconcerned. Eventually the connection was made, but there was a lot of noise in the background on the other end. The voice was hard to pick out, and Ripley didn’t recognize it.

Krumm smiled, “Caught you working, eh?”

The voice responded, “Not quite yet. What’s up?”

“My neighbors seem utterly certain we are facing a major attack in the valley, probably in the next few days. Why do I feel like the bunker isn’t going to save us?”

There was an unrecognizable sound on the other end — laughter? “It’s compromised. Tell your co-workers to pack a bug-out bag, something they can hold in their laps. The best ride is tomorrow just before dawn. An equipment convoy will pass by on the main drag where they have been hanging out. You can lock up their stuff in your bunker, but they won’t be coming back.” There was a pause. “Check your mail. Bye.”

The connection went dead. Ripley’s eyes were wide open. With a faint smile, but without a word, Krumm gently removed his headset from the stunned Ripley’s head, closed the lid on his laptop, and left. Halfway down the stairs, he heard Ripley moving, finally.

The noise of sudden activity and chatter from his co-workers didn’t follow him into the server room in the basement. He went to a workstation, logged in with a long password, then punched a few more keys after the screen came to life. It was simply black with colored letters. There on the screen was the following message:

I hope to continue hearing from you.

It was followed by a large block of gibberish characters, commonly referred to as a PGP key: the public half of a key pair, used to encrypt email to a specific recipient so that only the holder of the matching private key, and its passphrase, could ever read it. While a few agencies with massive computing power could crack this, they would have to know which among the large number of such messages were worth pursuing. Krumm knew if he sent such a message from his laptop locally someone would notice, and it wouldn’t be anyone friendly. But there was a way around that.

He opened the link to his server back home and added the key to the keyring there. Using an encrypted link to a server was much more common than sending encrypted emails, and would not be noticed. This way, he could simply connect to his server and let it send the noisy traffic. The same electronic address for his server was used for plenty of other, standard traffic, so it would be hard for anyone to guess he had used it for secret messages.

Once that was done, he activated a script. All the official HTS data files would be gathered, indexed, and burned to a DVD. He made sure the system which handled this had a blank in the burner. He knew from recent checking it would fit on one disk. Once the data DVD had been checked for read-back, the script would command all the computers in the entire building to wipe their drives repeatedly. Sometime in the wee hours of the morning, all the computers in the place would be staring back at the world with blank screens, blank drives.

Krumm proceeded to pack his own bug-out baggage, but to fit on his bike, not his lap.

Categories: fiction